Arizona Department of Administration
P1000 - INFORMATION TECHNOLOGY POLICY
Document Number: P1000
Effective Date: JULY 1, 2015
Revision: 1.0

1.  Authority

To effectuate the mission and purposes of the Arizona Department of Administration (ADOA), the Agency shall establish a coordinated plan and program for information technology (IT) implemented and maintained through policies, standards and procedures (PSPs) as authorized by Arizona Revised Statute (A.R.S.) § 41-3504.

2.  Purpose

The purpose of this policy is to establish governance over Information Technology and ensure that information technology services support the [AGENCY]’s mission, strategy and stakeholder requirements in an efficient and effective manner.

3.  Scope

This policy applies to all [AGENCY] and IT integrations and/or data exchange with third parties that perform IT functions, activities or services for or on behalf of [AGENCY]. Applicability of this policy to third parties is governed by contractual agreements entered into between the [AGENCY] and the third party/parties.

4.  Exceptions

4.1  PSPs may be expanded or exceptions may be taken by following the Statewide Policy Exception Procedure.

4.1.1  Existing IT Products and Services

a.  [AGENCY] subject matter experts (SMEs) should inquire with the vendor and the state or [AGENCY] procurement office to ascertain if the contract provides for additional products or services to attain compliance with PSPs prior to submitting a request for an exception in accordance with the Statewide Policy Exception Procedure.

4.1.2  IT Products and Services Procurement

a.  Prior to selecting and procuring information technology products and services, [AGENCY] SMEs shall consider IT PSPs when specifying, scoping, and evaluating solutions to meet current and planned requirements.

5.  Roles and Responsibilities

5.1  State Chief Information Officer (CIO) shall:

a.  Be ultimately responsible for ensuring the effective implementation of Information Technology policies, standards, and procedures (PSPs) within each Budget Unit.

5.2  [AGENCY] Supervisors shall:

a.  Ensure users are appropriately trained and educated on PSPs; and

b.  Monitor employee activities to ensure compliance.

5.3  Individual IT Users shall:

a.  Become familiar with this and related PSPs; and

b.  Adhere to all state and PSPs pertaining to the use of the state IT resources.

6.  Statewide Policy

6.1  The [AGENCY] shall implement and maintain an IT governance framework consistent with the Arizona Revised Statutes and Administrative Rules. To ensure that IT-related decisions are made in line with the [AGENCY]’s strategies and objectives, the [AGENCY] shall ensure that IT-related processes are overseen effectively and transparently and all stakeholder requirements are identified and satisfied (CobiT 5.0, EDM01).

6.1.1  [AGENCY] shall continually identify and engage with the stakeholders, document an understanding of the requirements, and make a judgment on the current and future design of governance of information technology. (CobiT 5.0, EDM01.01).

6.1.1.1  [AGENCY] shall analyze and identify the internal and external environmental factors (legal, regulatory and contractual obligations) and trends in the environment that may influence governance design.

6.1.1.2  [AGENCY] shall consider all applicable Arizona Revised Statutes and Administrative Rules and determine how they should be applied within the governance of IT within [AGENCY].

6.1.1.3  [AGENCY] shall articulate principles that will guide the design of governance and decision making of IT.

6.1.1.4  [AGENCY] shall determine the appropriate levels of authority delegation, including threshold rules, for IT decisions.

6.1.2  With support and buy-in from their Director, [AGENCY] shall guide the structures, processes and practices for the governance of IT in line with agreed-on governance design principles, decision-making models and authority levels. [AGENCY] shall define the information required for informed decision-making (CobiT 5.0, EDM01.02).

6.1.2.1  [AGENCY] shall establish governance structures, processes and practices in line with agreed-on design principles.

6.1.2.2  [AGENCY] shall allocate responsibility, authority and accountability in line with agreed-on governance design principles, decision-making models and delegation.

6.1.3  [AGENCY] shall monitor the effectiveness and performance of their governance of IT and periodically assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively to provide appropriate oversight of IT (CobiT 5.0, EDM01.03).

6.2  [AGENCY] shall ensure benefits delivery by securing optimal value from IT-enabled initiatives, services and assets; cost-efficient delivery of solutions and services; and a reliable and accurate picture of costs and likely benefits so that stakeholder needs are satisfied effectively and efficiently (CobiT 5.0, EDM02).

6.2.1  [AGENCY] shall continually evaluate the portfolio of IT-enabled investments, services and assets to determine the likelihood of achieving [AGENCY] objectives and delivering value at a reasonable cost. [AGENCY] shall identify and make judgment on any changes in direction that need to be given to management to optimize value creation (CobiT 5.0, EDM02.01).

6.2.2  [AGENCY] shall lead value management principles and practices to enable optimal value realization from IT-enabled investments throughout their full economic life cycle (CobiT 5.0, EDM02.02).

6.2.3  [AGENCY] shall monitor the key goals and metrics to determine the extent to which the [AGENCY] is generating the expected value and benefits to the [AGENCY] from IT-enabled investments and services. [AGENCY] shall also identify significant issues and consider corrective actions (CobiT 5.0, EDM02.03).

6.2.3.1  [AGENCY] shall collect relevant, timely, complete, credible and accurate data to report on progress in delivering value against targets. [AGENCY] shall obtain a succinct, high-level, all-around view of portfolio, program and IT performance that supports decision-making, and ensure that expected results are being achieved.

6.3  [AGENCY] shall ensure risk optimization by ensuring that IT-related [AGENCY] risk does not exceed risk appetite and risk tolerance, the impact of IT risk to [AGENCY] value is identified and managed, and the potential for compliance failures is minimized (CobiT 5.0, EDM03).

6.3.1  [AGENCY] shall continually examine and make judgment on the effect of risk on the current and future use of IT in [AGENCY]. [AGENCY] shall consider whether the risk appetite is appropriate and that risk to [AGENCY] value related to the use of IT is identified and managed (CobiT 5.0, EDM03.01).

6.3.1.1  [AGENCY] shall determine the level of IT-related risk that the [AGENCY] is willing to accept to meet its objectives (risk appetite).

6.3.2  [AGENCY] shall ensure that IT risk management practices are established and appropriate, so as to provide reasonable assurance that actual IT risk does not exceed the Agency’s risk appetite (CobiT 5.0, EDM03.02).

6.3.2.1  [AGENCY] shall promote an IT risk-aware culture and empower the [AGENCY] to proactively identify IT risk, opportunity and potential impacts.

6.3.3  [AGENCY] shall monitor key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation (CobiT 5.0, EDM03.03).

6.4  [AGENCY] shall ensure that the resource needs of the [AGENCY] are met in the optimal manner, IT costs are optimized, and there is an increased likelihood of benefit realization and readiness for future change (CobiT 5.0, EDM04).

6.4.1  [AGENCY] shall continually examine and make judgment on the current and future need for IT-related resources, options for resourcing (including sourcing strategies), and allocation and management principles to meet the needs of the [AGENCY] in the optimal manner (CobiT 5.0, EDM04.01).

6.4.2  [AGENCY] shall ensure the adoption of resource management principles to enable optimal use of IT resources throughout their full economic life cycle (CobiT 5.0, EDM04.02).

6.5  [AGENCY] shall ensure that the communication of IT-related matters to [AGENCY] stakeholders is effective and timely and the basis for reporting is established to increase performance, identify areas for improvement, and confirm that IT-related objectives and strategies are aligned with the [AGENCY]’s strategy (CobiT 5.0, EDM05).

6.5.1  [AGENCY] shall ensure the establishment of effective stakeholder communication and reporting, including mechanisms for ensuring the quality and completeness of information, oversight of mandatory reporting, and creating a communication strategy for stakeholders (CobiT 5.0, EDM05.02).

6.5.2  [AGENCY] shall monitor the effectiveness of stakeholder communication and assess mechanisms for ensuring accuracy, reliability and effectiveness, and ascertain whether the requirements of different stakeholders are met (CobiT 5.0, EDM05.03).

7.  Definitions and Abbreviations

Refer to the PSP Glossary of Terms located on the ADOA-ASET website.

8.  References

8.1  A.R.S. § 41-3504

8.2  CobiT 5.0, An ISACA Framework

9.  Attachments

None.
